FIM 2010 R2: sync-rule-flow-provisioning-failed

  • Question

  • I was trying to provision objects onto AD and found a few error messages as follows:

    "sync-rule-flow-provisioning-failed"

    Upon checking the stack trace information, it says: "An object with DN 'CN=First Last,OU=users,DC=contoso,DC=com' already exists in management agent ADMA".

    My outbound AD sync rule I set to initial flow only: "CN=DisplayName,OU=users,DC=contoso,DC=com" ===> DN

    I am trying to provision a new user with the same name as an existing one. Can anyone assist as to how I go about solving this? I was going to create users with the same name manually, but it would be nice if I can do it within FIM. Basically, how do I develop a better method to calculate a unique DN attribute value when trying to provision two objects with the same name (for example, CN=Mark Chapman already exists in AD)?

    But if I try to provision another Mark Chapman onto AD, it will error.

    I am still learning FIM and that's why I am stuck with this issue.

    Thanks for your help and assistance.

    aw

    Thursday, January 17, 2013 8:34 AM

Answers

  • You have to calculate a unique value for CN for AD objects if they are going to exist in the same OU (actually, good practice is to make CNs unique domain-wide). This is an AD requirement, not a FIM one. If you want to do this using FIM you need a custom workflow for it; you can do this for example using Craig's excellent PowerShell activity and some PowerShell script (done this, works like a charm): http://fimpowershellwf.codeplex.com/

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Thursday, January 17, 2013 10:05 AM

All replies

  • Hi Hakim,

    I am afraid Tomasz Onyszko is absolutely right; this is something to do with AD and not FIM.

    AD does not let you create a user with the same CN in the same OU, so usually you should do this in another OU if this is what you are doing for a demo or something. I wouldn't straight away jump to a custom workflow activity if I were you, as they require some level of expertise in FIM, and with the DN you can do it mostly in the sync rules with some IIF conditions.

    The DN can be calculated in the Synchronization Rule, for example with the following Custom Expression:

    "CN="+displayName+",OU=SomeOU,DC=contoso,DC=com"

    The initial flow is executed at the time the user is being created in the target system (AD in your case), so that has nothing to do with it either, but nonetheless an initial flow on the DN is needed.

    Thursday, January 17, 2013 10:27 AM
  • Hi Furqan,

    Thanks for your feedback.

    I am looking for the simplest possible solution; I would not want to jump onto a custom workflow activity.

    But if I don't have another alternative I guess I will be obliged to use a custom workflow.

    However, you mentioned in your reply:

    "with the DN you can do it mostly in the sync rules with some IIF conditions.

    The DN can be calculated in the Synchronization Rule, for example with the following Custom Expression

    "CN="+displayName+",OU=SomeOU,DC=contoso,DC=com""

    Are you able to give me some example as to how I can use an IIF statement in the sync rule to get a unique DN?

    Thank you very much

    Hakim

    Thursday, January 17, 2013 10:47 PM
    Hi Tomasz,

    Thanks for your response,

    If I don't find any other easier alternative I will want to use the solution you mentioned. I briefly checked the website and downloaded the DLL, but could not find documentation as to how to use it and the PowerShell script I need.

    I am not sure as to how to upload it to the workflow activity list, and if you have done this before, can I kindly ask you to elaborate or maybe give a summarised step-by-step guide as to how to actually use this please.

    And also, I have basic knowledge of PowerShell scripting; can you please provide a sample PS script if possible?

    I appreciate your help and thank you very much

    Regards

    Hakim


    Thursday, January 17, 2013 10:54 PM
  • With the Sync Rule you could do something like put people in different OU's based on other attributes like department.

    "CN="+displayName+",OU=" +Department+",DC=contoso,DC=com"

    Of course you should use EscapeDNComponent to ensure that you don't include invalid characters.

    "CN="+EscapeDNComponent(displayName)+",OU=" +EscapeDNComponent(Department)+",DC=contoso,DC=com"

    This could of course still result in name collisions. So you could include additional items

    "CN="+EscapeDNComponent(displayName)+",OU=" +EscapeDNComponent(Department)+",OU=" +EscapeDNComponent(Location)+",DC=contoso,DC=com"

    The custom workflow that Tomasz is recommending isn't that hard to use. You don't have to create your own custom workflow activity; you can use the one that Craig Martin created. Then you can create a PowerShell script to calculate a unique displayName.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Thursday, January 17, 2013 11:04 PM
  • Thanks David,

    Using custom work flow may be the way to go for me,

    I am not an expert in PowerShell scripting, but I have a basic understanding. Do you happen to have that PS script by any chance?

    I appreciate your help and thanks for your guidance 

    Hakim

    Friday, January 18, 2013 12:19 AM
  • Thanks a lot David for your input, of course we should use the EscapeDNComponent.

    Also I usually use the IIF conditions to check if the data is present in those attributes just in case.

    "CN="+EscapeDNComponent(displayName)+  IIF(IsPresent(Department), ",OU=" +EscapeDNComponent(Department) ,"") + IIF(IsPresent(Location),",OU=" +EscapeDNComponent(Location),"") +",DC=contoso,DC=com"

    Friday, January 18, 2013 3:26 AM
  • Hi Hakim

    Sorry if my thread misled you into believing that IIF could be used to check uniqueness; unfortunately it cannot be used for that purpose.

    Friday, January 18, 2013 3:28 AM
  • Furqan,

    Good suggestion with the use of IIF and IsPresent.

    Hakim,

    I don't have any PowerShell script handy for your situation. But I can highly recommend Windows PowerShell in Action by Bruce Payette as a great way to learn PowerShell. PluralSight.com also has some online classes that Craig Martin commented on favorably.

    http://www.amazon.com/Windows-PowerShell-Action-Second-Edition/dp/1935182137


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Friday, January 18, 2013 3:55 AM
  • With the custom activity (PowerShell script or otherwise) you check if the DN you want to use is already present. If so, you adjust the DN and try again until you get a miss. Then flow the value back to FIM to be used in the sync rules.

    Friday, January 18, 2013 1:18 PM
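The check-adjust-retry loop described in the reply above, written out as an added PowerShell example of the kind you would run from a PowerShell workflow activity. It is not code from this thread, from FIM or from Craig Martin's activity. It also covers the EscapeDNComponent point raised by David and Furqan, since a CN taken from displayName has to be escaped before it goes into a DN. The function names, the numeric-suffix scheme and the offline list of existing DNs are my assumptions (the list is constructed test data, not a real directory); the AD-backed lookup assumes the ActiveDirectory module is installed and the account running the workflow can read the target OU.

```powershell
# Added example (not from the thread, FIM or the PowerShell activity): build a
# unique DN for a new AD user by checking candidates against the directory and
# appending a numeric suffix until one is free. Function names are assumptions.

function ConvertTo-EscapedDnComponent {
    # Equivalent of the sync-rule EscapeDNComponent() function (RFC 4514):
    # backslash and , + " < > ; = are escaped anywhere; space and # only when
    # leading; space also when trailing.
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        $needsEscape = ('\,+"<>;='.IndexOf($c) -ge 0) -or
                       ($i -eq 0 -and ($c -eq ' ' -or $c -eq '#')) -or
                       ($i -eq $Value.Length - 1 -and $c -eq ' ')
        if ($needsEscape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    return $sb.ToString()
}

function Get-UniqueDn {
    # Returns CN=<DisplayName>[ <n>],<ContainerDn> for the first n whose DN the
    # $DnExists check reports as free. The caller supplies the check so the same
    # logic runs against AD or against test data. The suffix is added to the raw
    # name before escaping so names with trailing spaces still escape correctly.
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string]$ContainerDn,
        [Parameter(Mandatory = $true)][scriptblock]$DnExists,
        [int]$MaxAttempts = 100
    )
    for ($n = 1; $n -le $MaxAttempts; $n++) {
        $rawCn = if ($n -eq 1) { $DisplayName } else { "$DisplayName $n" }
        $cn = ConvertTo-EscapedDnComponent -Value $rawCn
        $dn = "CN=$cn,$ContainerDn"
        if (-not (& $DnExists $dn)) { return $dn }
    }
    throw "No free DN for '$DisplayName' under $ContainerDn after $MaxAttempts attempts"
}

# Directory-backed check (assumes the ActiveDirectory module). Get-ADObject
# -Identity throws ADIdentityNotFoundException when the DN is absent; only that
# case means "free". Any other failure (no connectivity, no rights) is rethrown
# so a transient error never yields a DN that turns out to collide.
$adLookup = {
    param([string]$dn)
    try {
        [void](Get-ADObject -Identity $dn -ErrorAction Stop)
        return $true
    } catch {
        if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') { return $false }
        throw
    }
}

# Offline stand-in (constructed data, not a real directory): DNs already present
# in the OU. AD compares DNs case-insensitively, so the set does too.
$existing = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
[void]$existing.Add('CN=Mark Chapman,OU=users,DC=contoso,DC=com')
[void]$existing.Add('CN=Mark Chapman 2,OU=users,DC=contoso,DC=com')
$offlineLookup = { param([string]$dn); $existing.Contains($dn) }

$ou = 'OU=users,DC=contoso,DC=com'
Get-UniqueDn -DisplayName 'Mark Chapman' -ContainerDn $ou -DnExists $offlineLookup
Get-UniqueDn -DisplayName 'Smith, John'  -ContainerDn $ou -DnExists $offlineLookup
# Against a real domain, pass -DnExists $adLookup instead.
```

With the constructed list, the first call skips "Mark Chapman" and "Mark Chapman 2" and returns the DN with suffix 3; the second shows the comma in "Smith, John" escaped as "Smith\, John". The returned string is what you flow back into a FIM attribute for the outbound sync rule to consume. The check and the later export are not atomic: if something else creates the same DN in between, the export still fails with the same sync-rule-flow-provisioning-failed error and the workflow has to run again, so treat the loop as reducing collisions rather than guaranteeing their absence.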
  • Another option, from the OCG website:

    Function Evaluator
    Function Evaluator is a completely free workflow that offers a wider range of functions than the built-in one, such as a Unique Name Generator (which could generate a unique account name, or a contractor id based on a counter), and a Random Password Generator (allowing letters and symbols to be used as well as random numbers). Note: the Function Evaluator is supplied completely free of charge 'as is' and no support is provided for this tool.

    Cheers,


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Monday, February 4, 2013 1:32 PM
  • Nobody considers just using the sAMAccountName for the CN="xxx" part?

    You can look with a workflow to see if your CN="Displayname" is unique at creation. But what if another process (e.g. a department change) changes the OU location of your object? Are you going through all the trouble again then to make sure your DN path remains unique?

    I would just use "CN="+EscapeDNComponent(accountName)+",OU="+EscapeDNComponent(Location)+",DC=contoso,DC=com"

    As the accountName has to be unique domain-wide, you're sure your DNs are unique as well... Keep it simple, no?


    http://setspn.blogspot.com

    Tuesday, February 5, 2013 8:27 AM